As you read the title, you're probably wondering if the wp-admin directory is already password protected. You must login successfully. Well, that's true, but to add an extra layer of security, popular sites often add an extra layer of authentication. A few days ago, we started seeing some suspicious activity on WPBeginner, so our host HostGator advised us to password protect our WordPress admin directory. Apparently popular sites like Mashable do the same thing. In this article, we'll show you a step-by-step guide on how to password protect your WordPress admin directory (wp-admin).
To keep things easy and simple, we will only cover cPanel web hosting companies here just because cPanel has a simple enough interface to add password protected directories.
Login to your cPanel. Scroll down until you see the Security tab. Click the “Password Protect Directories” icon.
When you click on that, a lightbox popup will appear asking for the location of the directory. Just click on the web root. Once you are there, navigate to the folder where your WordPress is hosted. Then click on the /wp-admin/ folder. You will see a screen like this:
Simply check the box to password protect the directory. Then create a user for the directory. That's it. Now when you try to access your wp-admin directory, you should see an authentication required box like this:
First create a .htpasswds file. You can do it easily using this generator. Upload this file outside of your /public_html/ directory. A good path would be:
Home / user / .htpasswds / public_html / wp-admin / passwd //
Next, create a .htaccess file and upload it to the /wp-admin/ directory. Then add the following codes there:
AuthName "Admins Only" AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd AuthGroupFile / dev / null AuthType básico requiere que el usuario escriba su nombre de usuario
You must update your username there. Also, don't forget to update the AuthUserFile location path.
Well this can happen depending on how your server is configured. To fix this issue, open your main WordPress .htaccess file and add the following code before the WordPress rules start.
ErrorDocument 401 por defecto
Well, there you have it. You now have dual authentication for your WordPress admin area. This is a good alternative to limit wp-admin access by IP address.
Update:Here's how to fix the Admin Ajax issue
If you password protect the WordPress admin directory, it will break the Ajax functionality on the front-end (if it is being used). In our case, we don't have any plugin that is using ajax on the front-end. But if you do, here's how you fix that problem.
Open the .htaccess file located in your /wp-admin/ folder (this is NOT the main .htaccess file we edited earlier).
In the wp-admin .htaccess file, paste the following code:
Orden permitida, negar Permitir de todo Satisfacer cualquiera